Cisco Support Community

New Member

ASA Local Command Authorization problem?

Hi, I have configured command authorization on my ASA with TACACS, and I have also configured shell command authorization for different users in ACS 4.2. When I'm using ACS for command authorization there is no problem, but when I disconnect my connection to ACS from the ASA, I get stuck in configuration, even though I have configured aaa authorization command TACACS LOCAL. When the connection to ACS is lost I get very limited access to my ASA (LOCAL is configured at the end of the above command). I have also configured a user with Priv 15, but when I log in to my ASA with this local user I have limited access even though its Priv level is 15. So do I have to configure anything else to give me full access at level 15 when there is no access to ACS and aaa authorization command <server group> LOCAL is configured? Thanks

4 REPLIES

Re: ASA Local Command Authorization problem?

Hi,

Please check this known bug,

CSCsj56051 Bug Details

AAA authorization commands LOCAL fallback broken

Symptom:

aaa authorization fallback to LOCAL fails, blocking some commands to be executed and displaying "Command authorization failed" error message even though local authorization should be granted.

Conditions:

TACACS+ server communication is lost, LOCAL is configured next in the list.

Workaround:

none.

Further Problem Description:

7.2.2 does not show this behavior.

8.0(3) does not show this behavior.

Regards,

~JG

Do rate helpful posts

Cisco Employee

Re: ASA Local Command Authorization problem?

Hi,

Further to JG's update: I also came across this defect, and I did a lab recreate for LOCAL command authorization on 8.0.3 and confirmed the issue has been fixed.

Now, with your current config and code 8.0.x, you can access or run any command with a privilege 15 user. However, for read-only access with LOCAL authorization you need to update your config with lots of commands.

HTH

JK

Please rate helpful posts.

~BR Jatin Katyal **Do rate helpful posts**

New Member

Re: ASA Local Command Authorization problem?

Thank you guys very much, but what about the FWSM 3.2 image? Because now I'm going to configure it on the 3.2 OS!

New Member

Re: ASA Local Command Authorization problem?

Hello,

I had the same problem and found out that the problem exists on 8.0.2.

I had to downgrade to 7.2.1, remove aaa authorization command and reboot to 8.0.2 again to have normal rights.

Kind regards
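
An added example (not part of any post in this thread, and not Cisco code): a small Python audit that checks a saved running-config for the lockout conditions discussed above, namely AAA lines without LOCAL fallback, no local privilege 15 user, and a software version reported in this thread as showing the problem. The sample config, the function name `audit_local_fallback` and the `REPORTED_IN_THREAD` set are assumptions constructed for illustration.

```python
import re

# Constructed sample running-config for illustration (not from the thread).
SAMPLE_CONFIG = """\
ASA Version 8.0(2)
username admin password CONSTRUCTED encrypted privilege 15
username oper password CONSTRUCTED encrypted privilege 5
aaa-server TACACS protocol tacacs+
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS
aaa authorization command TACACS LOCAL
"""

# Version a poster in this thread reported the fallback problem on (8.0.2).
REPORTED_IN_THREAD = {"8.0(2)"}

def audit_local_fallback(config):
    """Return findings that could leave an admin locked out when TACACS+ is down."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]

    # Local users with an explicit privilege level of 15.
    admins = [m.group(1) for ln in lines
              if (m := re.match(r"username (\S+) .*\bprivilege 15$", ln))]
    if not admins:
        findings.append("no local user with privilege 15")

    for ln in lines:
        # aaa authentication <service> console <group> [LOCAL]
        m = re.match(r"aaa authentication (\S+) console (\S+)(?: (LOCAL))?$", ln)
        if m and m.group(2) != "LOCAL" and not m.group(3):
            findings.append(f"authentication '{m.group(1)}' has no LOCAL fallback")
        # aaa authorization command <group> [LOCAL]
        m = re.match(r"aaa authorization command (\S+)(?: (LOCAL))?$", ln)
        if m and m.group(1) != "LOCAL" and not m.group(2):
            findings.append("command authorization has no LOCAL fallback")
        # Compare the software version against the one reported in the thread.
        m = re.match(r"ASA Version (\S+)", ln)
        if m and m.group(1) in REPORTED_IN_THREAD:
            findings.append(f"version {m.group(1)}: LOCAL fallback reported broken in this thread")
    return findings

if __name__ == "__main__":
    for finding in audit_local_fallback(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

An empty result only means the configuration is in place; the fallback itself should still be confirmed by testing a local privilege 15 login with the TACACS+ server unreachable.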
